Forwarded from: Jason Coombs <jasoncat_private> Cc: mbernardat_private > For example; The FDA and Health Canada "strongly-encourages" > Pharmaceuticals to validated the computers and systems that are use > to develop drugs. Quality Assurance in the computer business is much easier than in the pharma business. Scary thought, huh? Malicious software looks exactly like any other software: it's simply machine code instructions (or script instructions/byte code meant for an interpreter/virtual machine runtime). What do malicious amino acid and nucleic acid sequences look like? You guessed it, they look exactly like us. There's just no technical difference between a modern pharmaceutical and a human being. The way that QA works in the pharma business, we are all vulnerable to computer-based attacks that specifically target nucleic acid and amino acid synthesizers for the purpose of inserting malicious sequences (malicious genes, malicious aminos) that pharma companies have only one chance to detect in order to prevent serious harm: before they ship their product. A variety of lab tests are possible for optimal security in a pharma factory, including a simple weight measurement of the resulting biochemical compound -- the engineers know in advance what the precise weight will be of each sample of each correctly-constituted drug. But do they weigh each sample before shipping it out? Doubtful. They definitely cannot perform any destructive testing on each sample, so the security control boils down to one simple thing: preventing ALL executions of unauthorized code in the CPUs that control the synthesizers. Period. With a 100% success rate. No vulnerabilities. There is good reason to believe that in the present computing environment it is only a matter of time before a computer virus or other malware is designed to infect a particular brand of DNA/RNA/amino acid synthesizer control computer, instructing that computer to insert malicious sequences in the synthesized biological end product. Converting itself, if you'll forgive the whimsical musing of science fiction, from an infectious computer contaminant into a biological one. The frustrating thing is that we, as an industry, are still mired in the immature growth phase of argue, argue, argue, defend our own interests, defend, defend, defend, and this immaturity is driving us to seriously consider outlawing full disclosure... If we have any common sense left, we'll stop our self-interested bickering and tug-o-war struggles over control of little bits of software code "intellectual property" (are you listening, SCO ? MS ?) and acquire a little perspective. When the first person dies from a contaminated pharmaceutical, somebody better break the law (and violate their employment contract) and post the details of the exploit to full-disclosure or I'm going to hold them personally responsible when my family member becomes victim #2. Thoughtfully, Jason Coombs jasoncat_private -----Original Message----- From: owner-isnat_private [mailto:owner-isnat_private]On Behalf Of InfoSec News Sent: Wednesday, September 17, 2003 7:32 PM To: isnat_private Subject: Re: [ISN] Should Microsoft be Liable for Bugs? Forwarded from: Mark Bernard <mbernardat_private> Dear Associates, This is a frustrating problem the recreates itself on a seemingly weekly basis. For years now the software industry has regulated itself doing a pretty decent job and then came along M$. Everything has changed and will continue to change, increasing the integration and inherent dependencies of business systems with business processes perhaps its time for our industry to evolve as well. For example; The FDA and Health Canada "strongly-encourages" Pharmaceuticals to validated the computers and systems that are use to develop drugs. The validation process although designed to 'control' the environment is very flexible allowing differences in configurations so long as they are recorded and validated. The validating process must include a formal change management process/document management. The practice in truly ISO or Deming's TQM and its sadly missing from software development in general. [...] - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Sep 19 2003 - 01:39:29 PDT